Re: [openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project
Gord,

Thanks for the reply.

On Sep 7, 2017, at 4:15 PM, gordon chung wrote:

> On 2017-09-07 02:15 PM, Innus, Martins wrote:
> > The fix seems to be something like the attached patch and setting the
> > appropriate configs in keystone.conf.
> >
> > One curious thing is that with the default keystone config, requests from all
> > projects have "X-Is-Admin-Project: True"
> >
> > If I set admin_project_domain_name and admin_project_name, only then do the
> > non admin projects have the header set to False.
>
> apologies, do you have more details on what 'X-Is-Admin-Project' is? i'm
> not familiar with this header.

As far as I can tell it's meant for designating an overall cloud admin account.

Reference to creation of the keystone config options:

https://review.openstack.org/#/c/240719/

Where the HEAT team seems to have used it for the same purpose, but by making changes in the policy.json:

https://review.openstack.org/#/c/316627/

But in my limited understanding of how Panko works, using the header seems to be the easiest way to get this functionality:

https://github.com/openstack/keystonemiddleware/commit/0562670d4e56c257aec8db5a2bb651b5e59fddb2

> currently, the behaviour is that:
>
> - a member of a project can only see its own events
> - an admin of a project can see all the events of a project (and any
>   events without any project associated with it)
>
> if this is the way of denoting a user is a 'super-admin' that has access
> to all events, i'm ok with it.

Yeah, that's what I'm going for, but as I said, I've barely started to scratch the surface of OpenStack, so there may be a better way of doing this.

Thanks

Martins

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project
On 2017-09-07 02:15 PM, Innus, Martins wrote:
> The fix seems to be something like the attached patch and setting the
> appropriate configs in keystone.conf.
>
> One curious thing is that with the default keystone config, requests from all
> projects have "X-Is-Admin-Project: True"
>
> If I set admin_project_domain_name and admin_project_name, only then do the
> non admin projects have the header set to False.

apologies, do you have more details on what 'X-Is-Admin-Project' is? i'm
not familiar with this header.

currently, the behaviour is that:

- a member of a project can only see its own events
- an admin of a project can see all the events of a project (and any
  events without any project associated with it)

if this is the way of denoting a user is a 'super-admin' that has access
to all events, i'm ok with it.

cheers,

--
gord

[openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project
Hi,

Just getting started with OpenStack and one of the stumbling blocks so far is that unless I missed it, there is no way for the main admin user to request event data for all projects:

[root@srv-m10-05-02 keystone]# ceilometer event-list -q 'event_type=compute.instance.create.start'
+++---++
| Message ID | Event Type | Generated | Traits |
+++---++
+++---++

Where there are definitely instances running and the user that created them has no issue seeing the events:

[minnus@srv-m10-05-02 ~]$ ceilometer event-list -q 'event_type=compute.instance.create.start' --limit 1
+--+---++---+
| Message ID | Event Type| Generated | Traits |
+--+---++---+
| b7ce7652-9745-487d-9fcc-570c7c972080 | compute.instance.create.start | 2017-08-29T15:37:39.707727 | +--+-+--+ |
| | | | | name | type | value
……

The fix seems to be something like the attached patch and setting the appropriate configs in keystone.conf.

One curious thing is that with the default keystone config, requests from all projects have "X-Is-Admin-Project: True"

If I set admin_project_domain_name and admin_project_name, only then do the non admin projects have the header set to False.

This is on:

- CentOS 7.3
- Ocata
- Panko backed by MariaDB.

Is this change something that would be accepted?

Thanks!

Martins

panko.patch
Description: panko.patch
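
The visibility rules discussed in this thread, sketched as an added Python example; it is not Panko's, keystonemiddleware's or the attached patch's code. `event_scope`, `visible_events`, the `admin_project_configured` flag and the sample events are hypothetical, and the request is assumed to have already passed keystonemiddleware's auth_token so the `X-*` headers can be trusted.

```python
# Added illustration: not Panko, keystonemiddleware, or the attached patch.
# Assumes the X-* headers were set by keystonemiddleware's auth_token
# after token validation, so their values can be trusted.

def _is_true(value):
    return str(value).strip().lower() == "true"

def event_scope(headers, admin_project_configured):
    """Decide which events a request may read.

    admin_project_configured (hypothetical deployment flag): True only when
    admin_project_name and admin_project_domain_name are set in keystone.conf.
    Without them the thread reports X-Is-Admin-Project: True for every
    project, so the header alone cannot identify a cloud admin.
    """
    project_id = headers.get("X-Project-Id")
    if not project_id:
        raise PermissionError("request is not scoped to a project")
    roles = {r.strip().lower() for r in headers.get("X-Roles", "").split(",")}
    is_admin = "admin" in roles
    cloud_admin = (is_admin and admin_project_configured
                   and _is_true(headers.get("X-Is-Admin-Project", "false")))
    return {
        "all_projects": cloud_admin,
        "project_id": project_id,
        # Project admins also see events that carry no project at all.
        "include_unscoped": is_admin,
    }

def visible_events(events, scope):
    """Apply the scope from event_scope() to a list of event dicts."""
    if scope["all_projects"]:
        return [e["id"] for e in events]
    return [e["id"] for e in events
            if e["project_id"] == scope["project_id"]
            or (e["project_id"] is None and scope["include_unscoped"])]

# Constructed sample data, not taken from the thread.
EVENTS = [
    {"id": "e1", "project_id": "proj-a"},
    {"id": "e2", "project_id": "proj-b"},
    {"id": "e3", "project_id": None},
]

if __name__ == "__main__":
    hdrs = {"X-Roles": "admin", "X-Project-Id": "proj-b",
            "X-Is-Admin-Project": "True"}
    print(visible_events(EVENTS, event_scope(hdrs, False)))
    print(visible_events(EVENTS, event_scope(hdrs, True)))
```

With the flag off, an admin of any project stays limited to that project plus unscoped events even though the header reads True, which matches the default-config behaviour reported in the original post.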